Re: [TLS] Consistency for Signature Algorithms?
Hubert Kario <hkario@redhat.com> Mon, 24 July 2017 10:49 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF802131C88 for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 03:49:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.923
X-Spam-Level:
X-Spam-Status: No, score=-6.923 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U4D0ddJ39fTu for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 03:49:07 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1FFA131C86 for <tls@ietf.org>; Mon, 24 Jul 2017 03:49:07 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4A1B04DB01; Mon, 24 Jul 2017 10:49:07 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 4A1B04DB01
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=hkario@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 4A1B04DB01
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E54107046E; Mon, 24 Jul 2017 10:49:06 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: tls@ietf.org
Date: Mon, 24 Jul 2017 12:49:00 +0200
Message-ID: <166770404.4ZRqQnPX1I@pintsize.usersys.redhat.com>
In-Reply-To: <6f6bf32f-5c73-9213-969a-2fdf1a4c48a2@akamai.com>
References: <3586282.tDsyLpRkWM@pintsize.usersys.redhat.com> <3673860.07CCjCncdc@pintsize.usersys.redhat.com> <6f6bf32f-5c73-9213-969a-2fdf1a4c48a2@akamai.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1710038.rJCjEoHWqz"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Mon, 24 Jul 2017 10:49:07 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GT1_eFhjCkWFiSSUDg7dlJQMIQc>
Subject: Re: [TLS] Consistency for Signature Algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 10:49:10 -0000
On Friday, 21 July 2017 21:37:42 CEST Benjamin Kaduk wrote: > On 07/21/2017 09:34 AM, Hubert Kario wrote: > > On Friday, 21 July 2017 15:38:32 CEST Benjamin Kaduk wrote: > >> On 07/21/2017 08:23 AM, Hubert Kario wrote: > >>> Signature Algorithms for ECDSA now define both the curve and the hash > >>> > >>> algorithm: > >>> ecdsa_secp256r1_sha256(0x0403), > >>> ecdsa_secp384r1_sha384(0x0503), > >>> ecdsa_secp521r1_sha512(0x0603), > >>> > >>> This is in contrast to the TLS 1.2 protocol, where any hash can be used > >>> with any curve. > >> > >> I assume you saw > >> https://www.ietf.org/mail-archive/web/tls/current/msg23714.html which > >> raised a different question in this same general area. > >> > >> I do not see how the response here cannot be the same as it was there: > >> namely, that the current formulation is assumed to have WG consensus, > >> having been through two WGLCs; there would need to be rather strong > >> reasons to make changes at this stage. > > > > MTI (section 9.1) says only that ecdsa_secp256r1_sha256 is mandatory > > (MUST) > > and no word about any of the other two. > > > > given that we already have CAs that use P-384 for signatures. I'd say this > > is a big conflict between theory and practice. > > I'm afraid I don't understand this remark. There is the caveat to which > Ilari alludes, that the server can send whatever chain it has, if the > server can't send a chain that complies with the client's > signature_algorithms. Since certificate validation is assumed to be > largely a function of the PKI library and not really in scope for the > TLS spec itself, this is not particularly problematic. true; that disjoint between "stuff that TLS library is supposed to do" and "stuff that PKI library is supposed to do" could be spelled out more explicitly in the RFC though > The other main > usage of the signature_algorithms limits what can be used in > CertificateVerify, which is directly relevant to TLS and depends on the > key attested to in the certificate. Are you claiming that there are > servers that only possess certificates with p384 keys (i.e., no RSA or > p256 or other fallback cert)? Yes, there are servers that have P-384 keys. Not sure if they have a dual stack (but that is unlikely as only about 30% of servers with ECDSA certs have also RSA cert). On Friday, 21 July 2017 17:00:55 CEST Ilari Liusvaara wrote: > Actually, P-256+SHA512 is allowed with a caveat, even if the > certificate is not self-signed. And with the same caveat, server can > send a certificate signed with P-256+SHA3-512, despite TLS > codepoint for it having never existed (not many clients can validate it > through). the reverse is true too - if your TLS library supports some combinations, the PKIX library MUST support them -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
- [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Ilari Liusvaara
- Re: [TLS] Consistency for Signature Algorithms? Watson Ladd
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Viktor Dukhovni
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Eric Rescorla
- Re: [TLS] Consistency for Signature Algorithms? Blumenthal, Uri - 0553 - MITLL